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Controlling Access to Medical Records 


Field of the Invention 

The present invention relates generally to methods and systems for 
5 managing access to medical records held in a medical record database. More 
particularly, the invention relates to a method and system whereby a patient can 
control the access of healthcare providers to his or her personal medical 
records. 

1 0 Background to the Invention 

Patient medical records including information such as medical history, 
diagnostic images, diagnostic test results or reports are often stored in digital 
form on medical record databases which may be accessed by healthcare 
professionals who are involved in treatment of patients. Examples of such 
15 medical record databases may be Picture Archiving and Communication 
Systems (PACS), Pathology Information Systems, Radiology Information 
Systems, Electronic Patient Record Systems, or the like, or any combination of 
these. 

Medical record databases typically do not provide sufficient transparency 
20 to the patient regarding who can access and modify the patients medical 
records. Medical record databases usually grant access upon entry of a 
username/password combination that is assigned to each healthcare provider. 
Medical record databases often implement relatively complicated access 
policies and authentication methods, whilst still granting a large number of 
25 medical professionals unnecessary access to patient medical records. The 
group of healthcare providers that have access to a patient's medical records is 
normally much larger than the group of healthcare providers who are involved in 
the patient's treatment. With each individual who has unnecessary access to a 
patients medical records, the risk of data abuse or unauthorized access 
30 increases. Therefore the privacy of the patient is severely compromised. 

It has been suggested that a nationwide or worldwide patient record 
database could be beneficial for patient treatment, by permitting a patient's 
medical history, prior diagnostic results, as well as diagnostic images to be 
made available to any treating medical professional. Access to this information 
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could support healthcare providers in making decisions which will benefit the 
patient. However provision of a nationwide or worldwide patient record 
database would grant access to thousands of medical professionals and 
healthcare providing organizations to each patients personal medical records. 
5 Preventing unauthorized access to private information becomes very difficult. 

Summary of the Invention 

According to a first aspect of the present invention, there is provided a 
method for controlling the access of healthcare providers to the medical records 
10 of a patient held in a medical record database, the method including the steps 
of: 

(a) the patient determining access rights to be granted to one or more 
healthcare providers; 

(b) generating an access authorisation message which specifies the access 
15 rights; 

(c) transmitting the access authorisation message from the patient to one or 
more healthcare providers; 

(d) transmitting the access authorisation message together with a request 
for access to the patient's medical records from the healthcare provider to the 

20 medical record database; 

(e) verifying that the access authorisation message originated from the 
patient; 

wherein the healthcare provider is granted access to the patient's 
medical records in accordance with the access authorisation message if it can 

25 be verified that the access authorisation message originated from the patient 
whose medical records the health provider wishes to access. 

In a preferred embodiment of the invention, the verification that the 
access authorisation message originates from the patient involves 
authenticating a digital signature accompanying the access authorisation 

30 message. Preferably, the digital signature is generated by a private encryption 
key associated with the patient and the medical record database authenticates 
the digital signature using a public decryption key which corresponds to the 
private encryption key. 
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In one form of the invention, the access rights determined by the patient 
are entered into a personal electronic device via an associated user interface 
and the personal electronic device generates the corresponding access 
authorisation message for transmission to the healthcare provider. The 
5 personal electronic device may include a private encryption key associated with 
the patient which is used to generate the digital signature which accompanies 
the access authorisation message. 

The access authorisation message may include any one or more of the 
. following restrictions: 
10 (a) a time interval during which access is authorised; 

(b) a category of medical data to which access is authorised; or 

(c) a type of access which is authorised. 

Preferably, the medical record database is accessible to healthcare 
providers over a network. 
15 The access authorisation message may further include an identifier 

corresponding to the healthcare provider to whom access is granted by the 
patient. 

In an alternative embodiment of the present invention, the personal 
electronic device is password protected. According to yet another alternative 
20 embodiment, the personal electronic device is activated using one or more 
forms of biometric data associated with the patient. 

In one particular embodiment of the invention, the medical record 
database verifies that the access authorisation message originated from the 
patient using a password transmitted by the patient to the healthcare provider 
25 together with the access authorisation message. 

According to a second aspect of the present invention, there is provided 
a system for controlling the access of healthcare providers to the medical 
records of a patient held in a medical record database, the system including: 

(a) an input component for entering patient determined access rights to be 
30 granted to one or more healthcare providers; 

(b) a processor for generating an access authorisation message that 
specifies the access rights; 

(c) a first transmitter for transmitting the access authorisation message from 
the patient to one or more healthcare providers; 
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(d) a second transmitter for transmitting the access authorisation message 
together with a request for access to the patients medical records from the 
healthcare provider to the medical record database; 

(e) a verification component for verifying that the access authorisation 
5 message originated from the patient; 

wherein the healthcare provider is* granted access to the patient's 
medical records in accordance with the access authorisation message if it can 
be verified that the access authorisation message originated from the patient 
whose medical records the health provider wishes to access. 

10 Preferably, the verification component verifies that the access 

authorisation message originates from the patient by authenticating a digital 
signature accompanying the access authorisation message. 

The processor may be provided as part of a personal electronic device 
selected from one of the following: 

15 (a) smart card; 

(b) mobile telephone; or 

(c) personal digital assistant. 

Preferably, the input component is a user interface associated with the 
personal electronic device. 

20 In a preferred embodiment of the present invention, the processor stores 

a private encryption key associated with the patient, the private encryption key 
being used to generate the digital signature and the verification component 
authenticates the digital signature using a public decryption key which 
corresponds to the private encryption key. 

25 The medical record database is preferably accessible to healthcare 

providers over a network. 

In one alternative form of the invention, the personal electronic device is 
password protected. In another form, the personal electronic device is activated 
using one or more forms of biometric data associated with the patient. 

30 It is an advantage of the present invention that patients can control 

access to their personal medical records. Patients can grant and revoke access 
and also grant access to selected data only or for a limited interval of time. 

It is a further advantage of the present invention that facilitating patient 
control over personal medical records is likely to lead to greater public 
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acceptance of mass electronic storage of personal medical records by giving 
patients confidence that only those medical professionals directly involved in the 
patients treatment will have access to his or her medical history, diagnostic test 
results, diagnostic images, etc. 

5 

Brief Description of the Drawings 

The invention will now be described in further detail by reference to the 
attached drawings illustrating example forms of the invention. It is to be 
understood that the particularity of the drawings does not supersede the 
1 0 generality of the preceding description of the invention. In the drawings: 

Figure 1 is a schematic diagram showing the data flow between system 
components in accordance with an embodiment of the present invention. 

Figure 2 is a flow chart showing the access restriction and authentication 
process in accordance with an embodiment of the present invention. 

15 

Detailed Description 

Referring firstly to Figure 1, any healthcare provider such as a doctor, 
dentist, surgeon, chiropractor, physiotherapist or other medical professional 
may be granted access to a medical record database 10. The medical record 

20 database 10 could be a corporate wide, nation wide or worldwide medical 
record database and is provided on a network which is readily accessible to 
healthcare providers, such as the Internet. Patients are enabled to control the 
access of healthcare providers to their personal medical records by specifying 
access rights and issuing them to those healthcare providers that are involved 

25 in the patient's treatment. 

The patient's medical records that are held on the medical record 
database 10 may include data such as medical history, diagnostic test results 
such as blood tests and pathology reports and diagnostic images such as 
radiographs. The patient can determine the extent of access to be provided to 

30 healthcare providers on the basis of what data is pertinent to the treatment that 
the patient is currently seeking. For example, a chiropractor would not 
necessarily need to know that a patient is HIV positive. This enables the patient 
to have direct control as to by whom and when his or her private medical 
records will be accessed. 
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The access rights that may be specified by the patient may include 
restrictions relating to a time interval for which access is granted, for example, 
for the month of May 2004. In addition, or alternately, the patient may be 
concerned about the type of data that can be accessed by healthcare providers. 
5 For instance, the patient may wish to grant access only to those diagnostic test 
results which are pertinent to current treatment and not those relating to other 
complaints which are not relevant to the current treatment regime. 
Furthermore, the patient may be prepared to grant a number of healthcare 
providers read only access to his or her personal medical records but only 

1 0 wishes to grant write access to a select number of healthcare providers. 

These and other specifications and/or restrictions applied to access 
rights are entered by the patient into a personal electronic device 12 via a user 
interface 14 which may be integrated into the personal electronic device 12 or 
may be an external device provided by the healthcare provider. The personal 

15 electronic device 12 is an electronic device which is owned by or made 
available to the patient Examples of suitable personal electronic devices 12 
include chip cards such as smart cards, mobile- telephones and personal digital 
assistants. The personal electronic device must provide sufficient memory and 
processing capacity to execute commands which are stored in its memory. 

20 Ideally, all patients would be issued with a healthcare card including a 

chip capable of storing and processing data relating to access rights. The data 
could be entered via a dedicated chip card reader provided by the healthcare 
provider and the healthcare card could be carried by the patient at all times in 
case of emergency. In this example, the user interface via which access rights 

25 may be specified would be a keypad associated with the dedicated card reader. 

Once the patient's determinations for access rights have been entered 
into the personal electronic device 12 via a user interface 14, the personal 
electronic device's processing capacity is employed to generate a 
corresponding access authorisation message which specifies the access rights 

30 which the patient intends to grant to the healthcare provider. 

The access authorisation message further includes a digital signature for 
authentication purposes. A private encryption key based on public key 
infrastructure (PKI) issued to the patient by a Certification Authority 16 is used 
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to generate the digital signature. The private encryption key is stored on the 
personal electronic device for this purpose. 

The access authorisation message is transmitted from the patient to the 
healthcare provider together with the digital signature. Transmission to the 
5 healthcare provider may occur via the personal electronic device 12, for 
example by mobile telephone or could be transmitted using a personal digital 
assistant or via email directly to the healthcare provider's computer system 18. 
The healthcare provider receives the access authorisation message and 
transmits a request for access to the patient's medical records to the medical 

10 record database 10 together with the access authorisation message received 
from the patient The medical record database 10 may be accessible to the 
healthcare provider via a network such as the Internet in the case of a global or 
nationwide medical record database or alternatively could be accessible via a 
local area network (LAN) or other wide area network (WAN) in the case of an 

15 organisation specific medical record database. 

The medical record database 1 0 receives the request for access together 
with the access authorisation message and verifies that the access 
authorisation message originated from the patient whose medical records the 
healthcare provider wishes to access. Where the access authorisation 

20 message includes a digital signature generated by a private encryption key 
issued by a Certification Authority 16, the medical record database 10 will 
authenticate the origin of the access authorisation message using a public 
decryption key which corresponds to the private encryption key used to 
generate the digital signature. If the access authorisation message can be 

25 authenticated as originating from the patient, then access will be granted to the 
healthcare provider in accordance with the access policy provided by the 
patient. If the digital signature cannot be verified, access to the patient 1 s 
medical records is denied. 


30 corresponds to a healthcare provider to whom the patient has granted access 
rights. If the access authorisation message includes such an identifier, only the 
healthcare provider corresponding to the identifier will be granted access to the 
patients records. This feature is particularly applicable where the patient 
wishes to grant exclusive access rights to a single healthcare provider. 


The access authorisation message may include an identifier that 
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As an alternative to the verification process described, it is envisaged 
that for patients that are less technology savvy, a similar effect could be 
achieved by the patient issuing the healthcare provider with an alphanumeric 
string or password. The alphanumeric string or password could be derived from 
5 the Certification- Authority in much the same way that the patient obtains a 
private encryption key from the Certification Authority. This may entail the 
Certification Authority issuing the patient with a number of alphanumeric strings 
or passwords to accompany access authorisation messages specifying different 
access scenarios. The alphanumeric string or password could be transmitted to 

10 the healthcare provider in written form or verbally to overcome the problem of 
patients who do not have access to personal electronic devices such as mobile 
telephones and personal digital assistants. This method will of course provide 
the patient with somewhat less flexibility and security than association of the 
digital signature with the access authorisation message. 

15 Referring now to Figure 2, the patient performs the following steps to 

grant a healthcare provider access to the patient's personal medical records. 
The patient determines what type of data the patient wishes to permit the 
healthcare provider to view, add to or modify 20. The patient also determines 
the period of time the data will be accessible to the healthcare provider. The 

20 patient's determinations are entered into the personal electronic device via a 
user interface. 

The personal electronic device internally generates a creates a message 
that containing patient identification data, access limitations (e.g. 'read 
only/write only 1 or 'diagnostic images only 1 ), and access time limits which have 

25 been determined by the patient 22. This message is the access authorization 
message and has a standardized format. For example, an access authorisation 
message could be issued by patient X to grant read and write access to all of 
patient X's diagnostic images for the next two days. 

The personal electronic device adds a digital signature to the access 

30 authorisation message. The digital signature is based on a private encryption 
key based on public key infrastructure (PKI). The private encryption key is 
stored permanently in the memory of the personal electronic device and cannot 
be directly accessed from outside the personal electronic device. The private 
encryption key can be integrated with the personal electronic device at the time 
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of manufacture (e.g. for smart cards), or could be transmitted through a secure, 
encrypted data connection using dependable patient authentication (e.g. for 
mobile telephones or personal digital assistants). In the event that a personal 
electronic device is lost or stolen, the Certification Authority can issue a new 
5 private encryption key and corresponding public decryption key and transmit the 
private encryption key to a new electronic device by suitable means. 
Unauthorised data access using the stolen personal electronic device is 
therefore negated. 


10 message has been issued by the patient's personal electronic device and 
ensures that the access authorisation message is not modified after issuing. 
The digitally signed access authorisation message is transmitted from the 
patients personal electronic device to the healthcare professional's computer 
system 24.. The access authorisation message may be transmitted via a public 

15 or wireless network in an encrypted form, or via a direct connection in case of a 
smart card inserted into a dedicated smart card reader made available by the 
healthcare provider. 

The access authorisation message is stored on the healthcare provider's 
computer system. It is sent to the medical record database when the 

20 healthcare provider wants to access, modify or add medical data to the patient's 
existing medical record 26. In case of data transfer through a public network 
such as the Internet, communication between the healthcare provider and the 
medical record database must be in a secure, encrypted form to prevent 
unauthorised access to the access authorisation method. The access 

25 authorisation method is transmitted either with every transaction request, or at 
the beginning of a data connection or session 28. 

The medical record database has access to the public decryption key 
which corresponds to the personal encryption key issued to the patient by a 
Certification Authority and stored on the patient's personal electronic device. 

30 The medical record databases uses the public decryption key to verify the 
digital signature accompanying the access authorisation message 30. If the 
digital signature can be decoded with the public decryption key, it is evident that 
the access authorisation message was issued with the patients personal 
electronic device. 


The digital signature is used to verify that the access authorisation 
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The healthcare provider requests to view or modify data in the patient's 
medical record held in the medical record database or may request to add 
medical data to the patient's medical record. The medical record database 
verifies that the data request or data submission complies with the access rights 
5 granted in the access authorisation message 32. In accordance with the 
access rights granted in the access authorisation message, the medical record 
database delivers or accepts and modifies data in the patients medical record 
as requested or provided by the healthcare provider 34. 

When the time limit specified in the access authorisation message has 
10 expired any further request for access will be denied. This prevents reuse of 
the access authorisation message by unauthorised users in the event that an 
access authorisation message is obtained in an unauthorised manner and also 
prevents abuse of access rights to patient medical records once treatment is 
complete. 

15 A single access authorisation message may be issued to more than one. 

healthcare provider. Therefore, Doctor A can email Doctor B to obtain a second 
opinion on a patients diagnosis. Doctor B can use the same access 
authorisation message as Doctor A to access the patients diagnostic test 
reports contained in the patients medical record held in the medical record 

20 database. 

Additional measures to improve security against unauthorised use of the 
patient's personal electronic device to can access to personal medical records if 
the device is lost or stolen, include using a personal identification number (PIN) 
or password known only to the patient. In this case, the personal electronic 

25 device will only issue an access authorisation message after the PIN or 
password has been entered. 

Alternatively, requiring a scan of the patients biometric data before 
issuing an access authorisation message can prevent unauthorized usage of 
the patients personal electronic device to gain access to personal medical 

30 records. The biometric scan could be for example, a fingerprint. In this case, 
the personal electronic device does not issue an access authorisation message 
until a biometric scan has been performed and verified as matching the 
biometric data stored on the personal electronic device. The advantage of a 
biometric scan such as a fingerprint scan over password or PIN protected 
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measures, is that is that an access authorisation message can be issued when 
even if the patient is unconscious in case of an emergency. 

In contrast to known systems used to control access to patient records, 
in accordance with the present invention access to the medical record database 
5 is not based on usemames and passwords issued to healthcare providers. 
Therefore, there is no need for the medical record database to store 
identification data relating to healthcare providers or to authenticate the identity 
of those healthcare providers requesting access to a particular patient's medical 
records. Instead, the medical record database verifies whether the patient has 

10 genuinely granted access to the healthcare provider to the patient's personal 
medical records, before any patient specific medical data is revealed or 
modified. Provided that the authenticity of the access authorisation message 
can be verified, at no stage, is it necessary for the healthcare providers to verify 
their own identity. This saves time and avoids unnecessary complications. 

1 5 Implementation of the present invention could give confidence to patients 

that only those professionals directly involved in the patient's treatment are 
granted access to the patient's personal details including medical history, test 
results, and diagnostic images, etc. The patient is able to control access to 
personal medical records by means of limiting access to selected data, even for 

20 healthcare providers who are involved in the patients treatment. Using the 
method and system outlined, the patient can control who is able to view or 
modify personal medical records and can limit access to those individuals 
and/or organizations that the patient trusts. This leads to enhanced privacy in 
large medical databases and will no doubt increase acceptance of mass 

25 storage of electronic medical data by the public 

It is to be understood that various additions, alterations and/or 
modifications may be made to the parts previously described without departing 
from the ambit of the invention. 


30 
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1. A method for controlling the access of healthcare providers to the 
medical records of a patient held in a medical record database, the method 

5 including the steps of: 

(a) the patient determining access rights to be granted to one or more 
healthcare providers; 

(b) generating an access authorisation message which specifies the access 
rights; 

10 (c) transmitting the access authorisation message from the patient to one or 
more healthcare providers; 

(d) transmitting the access authorisation message together with a request 
for access to the patient's medical records from the healthcare provider to the 
medical record database; 
15 (e) verifying that the access authorisation message originated from the 
patient; 

wherein the healthcare provider is granted access to the patients 
medical records in accordance with the access authorisation message if it can 
be verified that the access authorisation message originated from the patient 
20 whose medical records the health provider wishes to access. 

2. A method according to claim 1, wherein verification that the access 
authorisation message originates from the patient involves authenticating a 
digital signature accompanying the access authorisation message. 

25 

3. A method according to claim 2, wherein the digital signature is generated 
by a private encryption key associated with the patient and the medical record 
database authenticates the digital signature using a public decryption key which 
corresponds to the private encryption key. 

30 

4. A method according to any one of claims 1 to 3 f wherein the access 
rights determined by the patient are entered into a personal electronic device 
via an associated user interface and the personal electronic device generates 


WO 2004/102393 PCT/AU2004/000665 

13 

the corresponding access authorisation message for transmission to the 
healthcare provider. 

5. A method according to claim 4, wherein the personal electronic device 
5 includes a private encryption key associated with the patient which is used to 
generate the digital signature which accompanies the access authorisation 
message. 


6. A method according to any one of claims 1 tp 5, wherein the access 
1 0 authorisation message includes one or more of the following restrictions: 

(a) a time interval during which access is authorised; 

(b) a category of medical data to which access is authorised; or 

(c) a type of access which is authorised. 

15 7. A method according to any one of claims 1 to 6, wherein the access 
authorisation message includes an identifier corresponding to the healthcare 
provider to whom access is granted by the patient. 

8. A method according to any one of claims 1 to 7, wherein the medical 
20 record database is accessible to healthcare providers over a network. 

9. A method according to any one of claims 4 to 8, wherein the personal 
electronic device is password protected. 

25 10. A method according to any one of claims 4 to 8, wherein the personal 
electronic device is activated using one or more forms of biometric data 
associated with the patient 

11. A method according to claim 1, wherein the medical record database 
30 verifies that the access authorisation message originated from the patient using 
a password transmitted by the patient to the healthcare provider together with 
the access authorisation message. 
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12. A system for controlling the access of healthcare providers to the medical 
records of a patient held in a medical record database, the system including: 
(a) an input component for entering patient determined access rights to be 
granted to one or more healthcare providers; 

5 (b) a processor for generating an access authorisation message that 
specifies the access rights; 

(c) a first transmitter for transmitting the access authorisation message from 
the patient to one or more healthcare providers; 

(d) a second transmitter for transmitting the access authorisation message 
10 together with a request for access to the patients medical records from the 

healthcare provider to the medical record database; 

(e) a verification component for verifying that the access authorisation 
message originated from the patient; 

wherein the healthcare provider is granted access to the patients 
15 medical records in accordance with the access authorisation message if it can 
be verified that the access authorisation message originated from the patient 
whose medical records the health provider wishes to access. 

13. A system according to claim 12, wherein the verification component 
20 verifies that the access authorisation message originates from the patient by 

authenticating a digital signature accompanying the access authorisation 
message. 

14. A system according to claim 12 or 13, wherein the processor is provided 
25 as part of a personal electronic device selected from one of the following: 

(a) smart card; 

(b) mobile telephone; or 

(c) personal digital assistant. 

30 15. A system according to claim 14, wherein the input component is a user 
interface associated with the personal electronic device. 

16. A system according to claim 14 or 15, wherein the processor stores a 
private encryption key associated with the patient, the private encryption key 
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being used to generate the digital signature and the verification component 
authenticates the digital signature using a public decryption key which 
corresponds to the private encryption key. 

5 17. A system according to any one of claims 12 to 16 wherein the medical 
record database is accessible to healthcare providers over a network. 

18 A system according to any one of claims 14 to 17 wherein the personal 
electronic device is password protected. 

10 

19. A system according to any one of claims 14 to 17, wherein the personal 
electronic device is activated using one or more forms of biometric data 
associated with the patient. 

15 20. A method for controlling the access of healthcare providers to the 
medical records of a patient held in a medical record database substantially as 
herein before described with reference to the drawings. 

21 . A system for controlling the access of healthcare providers to the medical 
20 records of a patient held in a medical record database substantially as herein 
before described with reference to the drawings. 
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